Ethics and legal compliance

Ensure your research data meets ethical and legal requirements. Discover how to securely collect, share and dispose of sensitive data.

 

Data management plan

As part of your project, you may be planning to collect sensitive or confidential research data. Before starting any research activity, consider what kind of sensitive data you will collect, how to protect that data, whether it can be securely shared, and methods for safe disposal.

If you are working with external partners, you should clearly specify who owns the copyright and intellectual property rights of the data you plan to collect, along with the licence(s) for its use and reuse.

Sensitive data

'Sensitive data' is a broad term in research data management which typically refers to:

  • Research data containing personally identifying information, ‘personal data’ and special category data as defined in UK data protection legislation
  • Commercially sensitive or confidential data, including data generated or used under a restrictive commercial research funding agreement
  • Data relating to species of plants or animals where the release of data may adversely affect rare or endangered species
  • Data likely to harm an individual or community or have a significant negative public impact if released

Researchers at the University who are working with human subjects or animals should consult the Research Code of Practice and the Academic Ethics Policy, as well as the Data Protection Policy.

Special categories of personal data

Special category data is personal data that needs more protection because it is more sensitive. Data is classified as special category data where it includes information about a person's:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

Security-sensitive data

Extra care should be taken when handling security-sensitive or extremism-related research data. Security-sensitive research can be that which:

  • is commissioned by the military
  • involves the acquisition of security clearances
  • concerns terrorist or extreme groups
  • involves IT encryption design for public bodies or business
  • involves anything else which the University considers as putting researcher(s) at risk

Please contact the Information Governance team for details of where this data should be stored. A record of the permission to store this data will be required.

Safe sharing

Sensitive and confidential research data can be shared ethically and legally when this has been planned and agreed before collection, following the relevant professional, ethical and discipline-specific standards. You can employ strategies to safely share sensitive data; these include obtaining informed consent for data sharing from participants, anonymising the identity of participants, and controlling access to data where necessary.

Informed consent

It is important to tell participants about the purpose and benefits of sharing and archiving their data for future research. Informed consent forms should provide information on data sharing plans, as well as how data will be collected and processed. Set out how you plan to anonymise the data, which data repository you will use, and whether any access restrictions will be in place. 

Anonymisation & pseudonymisation

Anonymisation and pseudonymisation are valuable tools that allow data to be shared, whilst preserving the privacy of research participants.

A person’s identity can be disclosed from:

  • Direct identifiers such as names, addresses, postcodes or pictures.
  • Indirect identifiers which, when linked with other available information, could identify someone, for example information on workplace, occupation or age.

Anonymisation requires personally identifying information in a dataset to be removed, substituted, distorted, generalised or aggregated.

Pseudonymisation involves processing the data so that it can no longer be attributed to a specific person without the use of additional information.

The UK Data Service provides guidance on de-identifying and anonymising transcript data, as well as the anonymisation process for quantitative data.

Access controls

Sensitive data can be securely shared by restricting access. Access controls allow you to decide who can access the data, what they can do with it, how long they can access it for, and under what restrictions. Common examples of access controls include placing the data under an embargo and making the data available upon request.

The Salford Figshare repository offers embargo options for researchers who wish to restrict access to their data. More information is available on the Figshare guidance page.

Data classification

All research must meet the requirements of data security and data protection that are set out in the GDPR (General Data Protection Regulation).

Data classification is the process of assigning a level of sensitivity to your research data, typically public, internal or confidential.

Confidential

Description:
  • Data which is only intended to be handled by identified individuals and is highly sensitive
  • Unauthorised access/disclosure has the potential to cause serious harm to the interests, employees or reputation of the University, or its data subjects

Examples:
  • Sensitive personal data e.g. medical records, financial information, protected characteristics
  • Valuable intellectual property intended for commercialisation
  • Data with national security implications

Internal

Description:
  • Data which is intended for a defined audience and may carry some sensitivity
  • Unauthorised access/disclosure has the potential to cause some harm to the interests, employees or reputation of the University, or its data subjects

Examples:
  • Limited personal data such as name, address, DOB, phone number
  • Preliminary or unpublished research data intended for publication at later stage

Public

Description:
  • Data available to the public and intended for distribution outside the University
  • Information which can be freely used without potential harm to the interests, employees or reputation of the University, or its data subjects

Examples:
  • Published, de-identified research data

Data disposal

You must securely dispose of research data identified for deletion with particular concern for the sensitivity of the data; for example, where data has been anonymised, the raw data may need to be destroyed.

When deciding which data to dispose of, you should consider:

  • Funder, ethical or legislative requirements
  • Contractual agreements with external partners
  • Discipline-specific norms

When data is destroyed, the destruction must be irreversible, with no chance of recovery. Paper can be shredded using a shredder. Extra care should be taken with sensitive or confidential information, and a secure paper destruction service bin should be used. Digital data may be destroyed by deleting or overwriting information.

Disposal of research data should be carried out in accordance with legal, contractual, regulatory, or ethical requirements and the University’s Information Security Policy.

Intellectual property

Intellectual property rights (IPR) affect the way both you and others can use research data. It is vital to clarify rights in relation to your research data and any secondary data, as it will affect your ability to use and share the data.

The University owns all intellectual property, including research data and software, generated by researchers in the course of academic research. You can find more information, including details of certain exceptions, in the University’s Intellectual Property Policy.

Collaborative research

Where external partners are involved, you must ensure research data ownership is established and confirmed contractually in advance of the research project starting. Data ownership should be confirmed in accordance with the University's Intellectual Property Policy and relevant third-party agreements. Access to research data by third parties must be managed in accordance with the Information Security Policy.